Power companies present cybersecurity gaps

May 10, 2013
|

Army Gen. Keith Alexander, commander of the U.S. Cyber Command, testifies on Capitol Hill in Washington in this Sept. 23, 2010, photo. He said Friday that utility companies are potentially vulnerable to cyberattacks on their power grids. / Manuel Balce Ceneta, AP

by Jim Michaels, USA TODAY

by Jim Michaels, USA TODAY

WASHINGTON -- The U.S. military's top cybercommander said some of the nation's utility companies have lagged in investing in network security, raising concerns about the vulnerability of the nation's critical infrastructure.

"The power industry has a wide scale, from companies that are very good to companies that need a lot of work and a lot of help," Gen. Keith Alexander, commander of Cyber Command, said Friday.

"The power companies are really the ones who have the biggest problem because if you say, 'we want you all to be here,' some of them can't get there," Alexander said, referring to security standards.

Alexander made the remarks in response to questions from the audience after speaking at a meeting of the Northern Virginia Technology Council.

Power companies are a concern because terrorists or future enemy nations may attempt to use hackers to take down parts of the nation's power grids.

Strengthening security standards is not enough, Alexander said.

"Telling them they have to meet a standard that they can't meet is very difficult and that's part of the push back," Alexander said. "From my perspective this is one of the big problems we have."

Alexander said power companies have evolved in a regulatory environment that limited profit margins and made costly investments in security more difficult. "They don't have the cash on hand to do it," he said.

By contrast, defense contractors and the banking industry have more money and incentive to invest in security.

Martin Libicki, a cybersecurity expert at Rand Corp., said utility companies have lagged in security, but he said it isn't a question of regulation, since companies can pass costs on to consumers.

He said utility companies have traditionally worried more about protecting physical plants than computer networks. Libicki said that is changing.

Still, Libicki said a cyberattack on America's utilities is not imminent. He said terrorist groups lack the capabilities and Russia and China, which have sophisticated capabilities but have no motive.

He said North Korea and Iran also probably lack the capability to mount an effective attack on America's power grid.